kernel: Enable CONFIG_BPF_LSM on Ubuntu
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
linux (Ubuntu) / Groovy | Fix Released | Undecided | Unassigned |
linux (Ubuntu) / Hirsute | Fix Released | Undecided | Unassigned |
linux-aws (Ubuntu) | New | Undecided | Unassigned |
linux-aws (Ubuntu) / Groovy | Fix Released | Medium | Unassigned |
linux-aws (Ubuntu) / Hirsute | Won't Fix | Undecided | Unassigned |
Bug Description
== Impact ==
Enable CONFIG_BPF_LSM in the Kconfig of Ubuntu kernels, allowing users to use BPF LSM programs.
== Background ==
The BPF LSM was merged into the Linux kernel 5.7
https:/
It allows users to implement MAC and Audit Policies using BPF programs. As a follow-up from the interest generated by the LSM at BPF/Linux conferences and on request from users, we’d like to request the enabling of CONFIG_BPF_LSM on Ubuntu starting with H.
The LSM won't be added to the list of active LSMs by default (in CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect function call overhead by registering an empty LSM hook for all hooks. However, enabling it in the kernel config will support users who wish to use BPF LSM programs without needing to replace their kernel image.
The LSM can be made "active" by default when our work on getting rid of this overhead is merged in the kernel:
https://<email address hidden>
== Regression Potential ==
None. The LSM is not active by default, so it does not have any performance or functional regression.
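The report above distinguishes two things: CONFIG_BPF_LSM being built into the kernel and the bpf LSM being active. The following script, added here as an example and not part of the bug report or of Ubuntu's kernel tooling, checks both on a running host and prints the lsm= value that would activate bpf while keeping the LSMs already in use; function names, file locations and the sample LSM lists are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether a kernel has
# CONFIG_BPF_LSM built in, whether the "bpf" LSM is active, and which
# lsm= boot parameter would activate it without dropping the LSMs
# already in use. Function names and sample values are constructed.
# Succeeds if the kernel config text passed in contains CONFIG_BPF_LSM=y.
bpf_lsm_built_in() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_BPF_LSM=y'
}

# Succeeds if "bpf" appears in a comma-separated active-LSM list, the
# format of /sys/kernel/security/lsm.
bpf_lsm_active() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'bpf'
}

# Print the lsm= value that keeps the current ordered list and appends
# bpf. lsm= replaces the whole list, so bpf must be appended, not given
# alone, or the LSMs currently active would be dropped.
suggested_lsm_param() {
    if [ -z "$1" ]; then
        printf 'lsm=bpf\n'
    elif bpf_lsm_active "$1"; then
        printf 'lsm=%s\n' "$1"
    else
        printf 'lsm=%s,bpf\n' "$1"
    fi
}

# Report for the running kernel. Assumes the config is readable from
# /proc/config.gz or /boot/config-$(uname -r) and securityfs is mounted.
bpf_lsm_report() {
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    else
        cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null)
    fi
    if ! bpf_lsm_built_in "$cfg"; then
        echo "CONFIG_BPF_LSM is not set: BPF LSM programs cannot be loaded"
        return 1
    fi
    active=$(cat /sys/kernel/security/lsm 2>/dev/null)
    if bpf_lsm_active "$active"; then
        echo "bpf LSM is built in and active: $active"
    else
        echo "bpf LSM is built in but not active; boot with $(suggested_lsm_param "$active")"
    fi
}

case "${1:-}" in --report) bpf_lsm_report ;; esac
```

Run it with `--report` on the target host; without arguments it only defines the functions so they can be sourced and tested.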
Changed in linux-aws (Ubuntu Groovy): status: New → In Progress; importance: Undecided → Medium
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1905975
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.